On 13 September 2023, negotiations began between European institutions to adopt the text of the EU Cyber Resilience Act (the “CRA”). If adopted, the CRA will impose a set of software security, cybersecurity, and vulnerability management requirements on products with digital elements (i.e., software or hardware products and their remote data processing solutions) placed on

The EU Digital Operational Resilience Act (“DORA”) entered into force on January 16, 2023, setting forth security requirements for network and information systems of organizations operating in the financial sector;

Obligations under DORA are to be further detailed by Regulatory Technical Standards (“RTS”) and Implementing Technical Standards (“ITS”), aimed at harmonizing requirements and facilitating implementation;

On July 10, 2023, the European Commission (“Commission”) adopted an adequacy decision for the EU-US Data Privacy Framework (“DPF”). The DPF is the successor to the EU-US Privacy Shield, which the Court of Justice of the European Union (“CJEU”) declared invalid in 2020.

This adequacy decision reflects agreement by the Commission that the DPF offers

The European Parliament adopted a Resolution on 11 May 2023 against the adoption of an EU adequacy decision for the US based on the EU-US Data Privacy Framework (DPF). The Resolution comes after an analysis by the European Parliament of the Executive Order on Enhancing Safeguards For United States Signals Intelligence Activities (EO 14086), which

With an effective date of February 17, 2024, the Digital Services Act (“DSA”) will start applying to most online platform providers in less than a year. The DSA, which introduces due diligence and transparency obligations regarding algorithmic decision-making by online platforms, such as social media, video sharing or e-commerce, entered into force on November 16,

On February 28, 2023, the European Data Protection Board (“EDPB”) issued its opinion on the draft adequacy decision of the European Commission (the “Commission”) on the new EU-US Data Privacy Framework (“DPF”). The EDPB expressed reservations in connection with the DPF, which will now undergo scrutiny by other European institutions.

Who Should Read This Legal

On 13 December 2022, the European Commission published its draft adequacy decision for EU-U.S. data transfers. The draft decision follows the EU-U.S. announcement of an agreement on a new EU-U.S. Data Privacy Framework (“DPF”) in March 2022 as well as the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“Executive Order”) signed

Companies that rely on standard contractual clauses (“SCCs”) for transferring personal data from the European Economic Area (“EEA”) to jurisdictions not considered to offer an adequate level of data protection under the EU General Data Protection Regulation must ensure that none of their existing contracts use the old SCCs after 27 December 2022.

Businesses are

The European Commission’s proposal to establish a European Health Data Space (“EHDS”) aims to improve access by individuals to their health data (primary use) and facilitate the re-use of health data for societal good across the European Union (secondary use).

While the draft EHDS regulation might easily get lost in an alphabet of

On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which is intended to implement U.S. commitments under the Trans-Atlantic Data Privacy Framework (DPF) announced in March 2022. With the new executive order, the Biden administration aims to strengthen the legal foundation for trans-Atlantic